Your message dated Mon, 02 Mar 2026 19:19:01 +0000
with message-id <[email protected]>
and subject line Bug#1111087: fixed in lxc 1:6.0.6-1
has caused the Debian Bug report #1111087,
regarding Namespaces are unavailable for non-root containers
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1111087: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111087
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: liblxc-common
Version: 1:6.0.4-4+b3
It seems the fix for #1098521 (0003-apparmor-4x-userns.patch) is
incomplete and a hunk for config/apparmor/abstractions/container-base
(without .in) is missing.
I have experienced issues with non-root unprivileged containers after
upgrading to Debian 13 trixie. Systemd units with a User=... directive fail
(trixie container, download template, e.g. systemd-networkd.service), and
applications cannot create namespaces for additional isolation, even in
Debian 12 bookworm containers.
Container:
    systemd[1]: systemd-resolved.service: Main process exited, code=exited, status=217/USER
Host:
    audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"
I have found that #1098521 is fixed, but the "userns," line is missing from
/etc/apparmor.d/abstractions/lxc/container-base. According to
config/apparmor/README, the file needs an explicit manual update after
modification of the ".in" template. I expect that the applied fix is
enough for the "generated" AppArmor profile for containers run by root,
but not for non-root containers.
I have noticed #1111087, but the related merge request modifies mount
rules.
I hope adding "userns," to container-base will not ruin the isolation of
privileged containers.
The following workaround avoids the issues for non-root fully
unprivileged containers:
Add a "userns," line at the beginning of
/etc/apparmor.d/abstractions/lxc/container-base and run
    apparmor_parser -r -W -T /etc/apparmor.d/lxc-containers
Alternatively, if namespaces are not necessary for applications running
inside containers, then isolation of specific systemd units with User=
directives may be relaxed for trixie guests:
/etc/systemd/system/systemd-networkd.service.d/disable-namesplaces.conf
    [Service]
    LockPersonality=no
    MemoryDenyWriteExecute=no
    ProtectClock=no
    ProtectKernelLogs=no
    ProtectKernelModules=no
    RestrictAddressFamilies=
    RestrictNamespaces=no
    RestrictRealtime=no
    RestrictSUIDSGID=no
    SystemCallArchitectures=
    SystemCallFilter=
    # E.g. systemd-networkd should have it
    PrivateDevices=no
    PrivateTmp=no
    # for polkit.service
    ProtectHostname=no
    # Added by recent versions of the lxc generator
    # for the "download" template;
    # it may be necessary for upgraded containers.
    ImportCredential=
    PrivateNetwork=no
Were it not for the constant trouble with kernel and AppArmor bugs causing
issues with non-root containers, I would set a higher priority for this issue.
Please consider updating 0003-apparmor-4x-userns.patch to add a hunk with
    userns,
for the config/apparmor/abstractions/container-base file.
--- End Message ---
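The symptom and workaround from the report above can be checked mechanically. The following is an added example, not part of the original report or of the lxc package: it counts userns_create denials per AppArmor profile in audit text and tests whether an abstraction's text carries an uncommented "userns," rule. The sample inputs are constructed, the helper names are hypothetical, and the rule matcher is a simplification that does not follow include directives.

```python
import re
from collections import Counter

# Constructed sample: the first line is the audit record quoted in the report,
# the other two are made-up neighbours for contrast.
SAMPLE_LOG = """\
audit: type=1400 audit(1766123064.132:280): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"
audit: type=1400 audit(1766123070.501:281): apparmor="DENIED" operation="userns_create" class="namespace" profile="lxc-container-default-cgns"
audit: type=1400 audit(1766123071.009:282): apparmor="DENIED" operation="mount" class="mount" profile="example-profile"
"""

# Constructed stand-ins for the abstraction file before and after the workaround.
ABSTRACTION_BEFORE = "  # userns, (commented out)\n  network,\n  capability,\n"
ABSTRACTION_AFTER = "  userns,\n" + ABSTRACTION_BEFORE

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: only the bare forms "userns," / "userns create," (optionally
# prefixed with "allow") are recognised.
_USERNS_RULE = re.compile(r"(?:allow\s+)?userns(?:\s+create)?\s*,")


def parse_audit(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}


def userns_denials(log_text):
    """Count DENIED userns_create events per AppArmor profile."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = parse_audit(line)
        if (fields.get("apparmor") == "DENIED"
                and fields.get("operation") == "userns_create"):
            hits[fields.get("profile", "<unknown>")] += 1
    return hits


def allows_userns(profile_text):
    """True if the text contains an uncommented userns rule."""
    for raw in profile_text.splitlines():
        rule = raw.split("#", 1)[0].strip()  # drop comments (and #include lines)
        if _USERNS_RULE.fullmatch(rule):
            return True
    return False


if __name__ == "__main__":
    for profile, count in userns_denials(SAMPLE_LOG).items():
        print(f"{profile}: {count} userns_create denial(s)")
    print("before workaround:", allows_userns(ABSTRACTION_BEFORE))
    print("after workaround: ", allows_userns(ABSTRACTION_AFTER))
```

On a real host, pass the kernel audit messages and the contents of /etc/apparmor.d/abstractions/lxc/container-base to the two functions instead of the constructed samples.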
--- Begin Message ---
Source: lxc
Source-Version: 1:6.0.6-1
Done: Mathias Gibbens <[email protected]>
We believe that the bug you reported is fixed in the latest version of
lxc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mathias Gibbens <[email protected]> (supplier of updated lxc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 02 Mar 2026 18:56:20 +0000
Source: lxc
Architecture: source
Version: 1:6.0.6-1
Distribution: unstable
Urgency: medium
Maintainer: pkg-lxc <[email protected]>
Changed-By: Mathias Gibbens <[email protected]>
Closes: 1111087 1124467 1128845
Changes:
 lxc (1:6.0.6-1) unstable; urgency=medium
 .
   [ Mathias Gibbens ]
   * New upstream release (Closes: #1128845)
     - Update lxc-default-with-nesting apparmor profile (Closes: #1111087)
     - Drop patches applied upstream
     - Update d/liblxc1t64.symbols
   * d/control:
     - Drop ${shlibs:Depends} from lxc-dev
   * Update years in d/copyright
 .
   [ Yangfl ]
   * Add Chinese debconf templates translations (Closes: #1124467)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---